WICG / isolated-web-apps

Repository for explainers and other documents related to the Isolated Web Apps proposal.

How do Discord/Slack work and prefer to self-host then? #39

Open technikhil314 opened 3 months ago

technikhil314 commented 3 months ago

I know this is a very basic query and maybe even a naive one. But from the quote below, which I read in the readme:

developers of the private messaging application Signal https://github.com/signalapp/Signal-Desktop/issues/871 that it was more secure to distribute their application as a versioned and signed package through an application store. They were concerned that self-hosting a web app would put their users at risk if their servers were compromised to serve malicious code.

I am wondering how Discord/Slack make their apps secure. I know they must be using the integrity attribute at the subresource level, but with new features in Chrome DevTools to override response content and all, isn't it more insecure, and shouldn't Slack/Discord recommend downloading the app instead and decommission the web app totally?

reillyeon commented 3 months ago

Those services have a different threat model because they don't support end-to-end encrypted messaging. Without that feature you can assume your own servers are trustworthy, which Signal does not.
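
The following is an added example, not part of the thread or of the WICG repository. It models the subresource `integrity` check mentioned in the question and shows which case it covers and which it does not, namely the README's concern about the app's own servers; the function names and sample scripts are hypothetical.

```javascript
// Added example: a simplified model of Subresource Integrity (SRI), not browser code.
const { createHash } = require("node:crypto");

const ALGS = ["sha256", "sha384", "sha512"]; // ordered weakest to strongest

// Build an integrity attribute value such as "sha384-<base64 digest>".
function sriFor(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Model of the check: unsupported tokens are ignored, only the strongest
// algorithm present is used, and any matching digest of that algorithm passes.
function sriMatches(integrity, body) {
  const entries = integrity.trim().split(/\s+/).filter(Boolean).map((token) => {
    const dash = token.indexOf("-");
    return { alg: token.slice(0, dash), digest: token.slice(dash + 1).split("?")[0] };
  }).filter((e) => ALGS.includes(e.alg));
  if (entries.length === 0) return true; // no usable metadata: nothing is enforced
  const best = ALGS[Math.max(...entries.map((e) => ALGS.indexOf(e.alg)))];
  const actual = createHash(best).update(body).digest("base64");
  return entries.some((e) => e.alg === best && e.digest === actual);
}

// The document (and so the integrity value) comes from the app's own origin.
function loadScript(documentIntegrity, servedBody) {
  return sriMatches(documentIntegrity, servedBody) ? "executed" : "blocked";
}

// Constructed sample scripts, for illustration only.
const RELEASED = "console.log('reviewed build');";
const MODIFIED = "console.log('unreviewed build');";

function scenarios() {
  return {
    // Honest origin, intact script.
    normal: loadScript(sriFor(RELEASED), RELEASED),
    // Honest origin, script changed in transit or on a third-party host.
    scriptHostChanged: loadScript(sriFor(RELEASED), MODIFIED),
    // Origin itself serves a new document whose integrity value matches the
    // modified script: the check passes, because the hash came from the same server.
    originChanged: loadScript(sriFor(MODIFIED), MODIFIED),
  };
}

console.log(scenarios());
```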